Talking about identity at large is a concept vague enough to be operationally ineffective, and as David Birch said during a podcast, “the problem of fixing everything in identity sounds insurmountable” and that “it is better to look for sectoral solutions than global ones”. There are many areas that need to be addressed in the identity space, as identity involves determining what attributes can be used to identify an individual, how to prove them over time, when to share them, and what a person can do with them.
According to One World Identity (OWI) there are five core identity use cases: identity creation, verification, authentication, authorization and federation; and, as some of these may overlap in certain applications, it is crucial to establish clear definitions for each of them, in order to support businesses in identifying problems within the identity ecosystem.
Identity creation
Identity creation is the new rendition of an identity that can be used in future transactions. For most people in the world, the most basic way of creating an identity takes place in the form of government birth registration. Interestingly enough, things also undergo an identity creation process. For example, mobile handsets are assigned a unique International Mobile Equipment Identity (IMEI), while automobiles receive Vehicle Identification Numbers (VINs).
Many use cases of creation simply generate a unique identifier within a system, without consideration for verifying any attributes, or even ensuring an underlying uniqueness of that individual.
Identity verification/Identity proofing/Digital onboarding
Verification is proving that specific identity attributes are actually connected to the person, entity, or thing that they are intended to represent. According to Josje Fiolet, Digital Onboarding lead at INNOPAY, video identification, reading the chip of the document via NFC (Near-Field Communication), using eID solutions, or taking a picture of the ID document can enable businesses to answer questions such as ‘Is the customers document valid?’, or ‘Is the person really who he/she claims to be?’.
To build a reliable profile of the customer, other techniques can also be considered. The trail of data that we leave behind may not be an identification method in itself, but it can serve as an additional step when building a trustworthy profile. For example, our activity on social networks can be used to provide a certain level of assurance of someone’s identity, and the account’s profile picture can be matched with the picture in the identification document.
Online authentication - “Could I use a password for that?”
Authentication is demonstrating ownership and control of a unique feature connected to an identity over time. With the majority of mobile devices being shipped with built-in biometric features like fingerprint scanners and facial recognition, many banks, merchants, and retailers are considering biometrics as a good option to improve the user’s authentication experience.
However, as biometrics become progressively more important to authentication, financial institutions must be able to assess the level of risk associated with enrolling a new authenticator. Just because a user is logged into a session does not mean that their goal in enrolling a new biometric should be trusted. This will become especially important as out-of-band mobile biometrics becomes more important for either login or step-up authentication in online banking, and as biometrics enabled by laptops and desktops begins to play a significant role in online banking.
Identity authorization
Authorization is determining what a user is allowed to do based on their identity. Authorization typically combines verification with authentication to grant a user permission to perform certain actions. According to OWI, a trend in authorization has been to move from role-based (a defined set of static permissions) to attribute-based (a more dynamic set of permissions).
Authorization fundamentally requires flexibility, as both roles and attributes change frequently and users authenticate (or fail to authenticate) into systems on a regular basis.
Identity federation – “How can we tell other people it’s you?”
Federation is conveying identity attributes, authentication or even authorization across multiple parties. The most visible manifestation of identity federation are the single-sign on (SSO) configurations by which a user can access multiple service providers through a single authentication process. Common examples include entering Facebook credentials to set up a Pinterest account, or using Google account to sign in to Airbnb. Federation of verified attributes has started to gain traction, and in certain markets — such as the Nordics with NemID and BankID — this model is actually fairly mature.
Identity related services have seen an unprecedented volume of investment from regtech to cybersecurity, or to data automation, and businesses need to understand these concepts to be able to navigate through this sea of identity verification and authentication platforms. There are companies on the market equipped with technologies that support delivering convenient access users’ demand, while securing critical data and infrastructure, and more. Some of these companies are featured in The Paypers’ Identity Verification and Online Authentication Solution Providers Infographic.
Whether it is in front of a webcam or of a smartphone, Jumio can verify the authenticity of an ID, a document, or a user’s real-world identity. The company combines computer vision technology with machine learning and uses live verification experts to check credentials (e.g., passports, drivers licenses, etc.) issued by over 200 countries.
By leveraging machine learning technology, Onfido validates a user’s identity document and compares it with their facial biometrics. The identity can then be cross-referenced against international credit and watchlist databases. The company aims to bring everyone’s legal identities online – similar as Facebook created social identities online and LinkedIn professional identities for users.
Biometrics, in general, and behavioural biometrics, in particular, play an important role in identity authentication. Companies such as SecuredTouch turn the devices that we use daily – the mobile, our car, smart home, watch, etc. – into identifiers by analysing the way we interact. Their product, ContinewID, provides user access control over the entire device or individual applications, selectively blocking access to sensitive information and actions. It can identify subscribers or reinforce parental controls on multi-user devices.
ThreatMetrix Smart Authentication combines risk-based authentication (RBA) with strong customer authentication (SCA) to support businesses understand the true identity of a connecting user, based on dynamic, global digital identity intelligence that is persistent and updated in real time. The solution integrates services for additional assurance such as 2FA and Carrier ID.
When operating in a regulated business environment, or if the security requirements demand a high level of certainty of the user’s identity, public eIDs are a good choice. Signicat Assure delivers a wide selection of public eID-schemes which can be used for identity proofing, including BankID in Norway, BankID in Sweden, NemID in Denmark, Tupas in Finland, DNIe in Spain, iDIN in Netherlands and ESTeID in Estonia.
Relying on traditional identity verification approaches is no longer sufficient or appropriate for digital channels; it is time for organisations to leverage machine learning, AI or biometrics for onboarding processes and look at modern authentication techniques as the way forward.
About Mirela Ciobanu
Mirela Ciobanu is Senior Editor at The Paypers and has been actively involved in covering digital payments - related topics, especially in the cryptocurrency, online security and fraud prevention space. She is passionate about finding the latest news on data breaches, machine learning, digital identity, and blockchain and she is an active advocate of the need to keep our online data/presence protected. Mirela has a bachelor’s degree in English language and holds a Master’s degree in Marketing.
Like this story? Subscribe for more.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now